pam_ldap & binddn
Christos Ricudis
ricudis at komodino.itc.auth.gr
Tue Sep 5 17:08:44 EEST 2006
Antonis Christofides wrote:
> What bothers me in this whole story, if I have understood it correctly,
>
... is that you have not understood it correctly :)
The binddn and the password you set in pam.conf belong to a proxy
user who has read rights on the whole tree, EXCEPT for the
userPassword attribute. (Try it with ldapsearch and you will see.)
The procedure goes roughly as follows:
The user gives a username (paparas) and a password (123).
pam_ldap binds to the LDAP server with the proxy credentials and sends
a search for (uid=paparas), or whatever other search filter you have
configured for it.
The LDAP server returns the user's DN
(uid=paparas,ou=accounting,dc=fucked-up-organization,dc=gr).
Now that pam_ldap knows the user's DN:
It closes the proxy user's connection.
It tries to bind to the LDAP server with the user's DN and the
password the user supplied.
If the bind succeeds, pam_ldap grants access.
At no point does the proxy user have read rights on the
userPassword attribute.
Of course, any user who has physical access to some client, which
usually means they can get root access with no trouble at all, can just
as easily plant five hundred and sixty-seven password sniffers
on every client.
Keep in mind that during the bind procedure the user credentials
travel in plain text. This means that anyone who can run a sniffer on
your network collects passwords without any effort.
That is why using unencrypted LDAP for authentication is not recommended.
pam_ldap supports TLS precisely for this purpose, but if you want my
opinion, it is a hassle.
Why don't you use Kerberos for authentication?
--
Christos Ricudis ricudis at itc.auth.gr
Systems Administrator +30-2310-998656
IT Support Center
Aristotle University of Thessaloniki, GREECE
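An added example, not from the post above and not pam_ldap's own code: a self-contained Python simulation of the two-phase login the message describes (proxy bind, search for the user's DN, fresh bind as the user). The in-memory LDAP server, the directory tree under dc=example,dc=gr, the proxy DN cn=pam-proxy and all passwords are constructed here; "paparas" and "123" are the post's own example values. The connection object also records what an on-path sniffer would see, so the plain-text-versus-TLS point can be checked rather than just stated.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Store a password the way OpenLDAP's {SSHA} scheme does: SHA-1(pw + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Constant-time check of a candidate password against an {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


PROXY_DN = "cn=pam-proxy,dc=example,dc=gr"   # the binddn from pam.conf (constructed)
PROXY_PW = "proxy-secret"                    # the bindpw from pam.conf (constructed)

# Constructed directory tree. Only the server ever sees userPassword.
DIRECTORY = {
    PROXY_DN: {"cn": "pam-proxy", "userPassword": ssha_hash(PROXY_PW)},
    "uid=paparas,ou=accounting,dc=example,dc=gr":
        {"uid": "paparas", "cn": "Paparas", "userPassword": ssha_hash("123")},
    "uid=maria,ou=accounting,dc=example,dc=gr":
        {"uid": "maria", "cn": "Maria", "userPassword": ssha_hash("correct horse")},
}


class Connection:
    """One LDAP session against the simulated server. `wire` is what a sniffer sees."""

    def __init__(self, tls):
        self.tls = tls
        self.bound_dn = None
        self.wire = []

    def _send(self, msg):
        self.wire.append("<encrypted>" if self.tls else msg)

    def bind(self, dn, password):
        self._send(f"bindRequest simple dn={dn} password={password}")
        # RFC 4513 section 5.1.2: a DN with an empty password is an *unauthenticated*
        # bind, which a server may accept without proving anything. A PAM module
        # must never treat that as a successful login, so refuse it here.
        if not password:
            return False
        entry = DIRECTORY.get(dn)
        ok = entry is not None and ssha_verify(password, entry["userPassword"])
        self.bound_dn = dn if ok else None
        return ok

    def search(self, attr, value):
        """Return matching (dn, attributes) pairs under the usual OpenLDAP ACL
        'access to attrs=userPassword by self write by anonymous auth by * none':
        nobody, the proxy user included, gets userPassword back from a search."""
        if self.bound_dn is None:
            return []
        self._send(f"searchRequest filter=({attr}={value})")
        return [(dn, {k: v for k, v in attrs.items() if k != "userPassword"})
                for dn, attrs in DIRECTORY.items() if attrs.get(attr) == value]

    def unbind(self):
        self.bound_dn = None


def pam_ldap_authenticate(username, password, tls=False, filter_attr="uid"):
    """The flow from the post: proxy bind -> search for the DN -> new bind as the user.
    Returns (granted, detail, wire_transcript)."""
    conn = Connection(tls)
    if not conn.bind(PROXY_DN, PROXY_PW):
        return False, "proxy bind failed", conn.wire
    hits = conn.search(filter_attr, username)
    conn.unbind()                      # proxy session is closed before the user bind
    wire = list(conn.wire)
    if len(hits) != 1:                 # unknown user, or an ambiguous filter
        return False, "no unique entry", wire
    user_dn, visible_attrs = hits[0]
    assert "userPassword" not in visible_attrs   # the proxy never saw the hash
    conn = Connection(tls)             # fresh connection, then bind as the user
    granted = conn.bind(user_dn, password)
    conn.unbind()
    wire += conn.wire
    return granted, user_dn, wire


if __name__ == "__main__":
    for tls in (False, True):
        granted, detail, wire = pam_ldap_authenticate("paparas", "123", tls=tls)
        print(f"tls={tls}: granted={granted} dn={detail}")
        for msg in wire:
            print("   on the wire:", msg)
```

Running it without TLS shows the user's password verbatim in the simulated bind request, which is the sniffer problem the post describes; with tls=True the transcript is opaque. The empty-password check in bind() covers a failure mode the post does not mention: a bind with a DN and no password is an unauthenticated bind per RFC 4513, so a module that forwards whatever the user typed without checking for an empty string can grant access to anyone who knows a username.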